Articles

By:
Publication: The Community Banker, Winter 2015

Buried in David Hitz's book How to Castrate a Bull: Unexpected Lessons on Risk, Growth and Success in Business is a short interlude that illustrates the problem with using news headlines to drive risk analysis processes. Just because something is in the news does not mean that it is a big risk; it simply means that it is out of the ordinary and has been deemed "newsworthy". Conversely, something that doesn't make the news might be a significant security risk. The point is that we shouldn't rely on news headlines to drive risk analysis.

Read Full Article

 

By: (CISA, CISSP, CRISC)
Publication: The Community Banker, Fall 2015

On June 30, 2015, the FFIEC released a new Cybersecurity Assessment Tool. The tool is designed to help financial institutions, such as banks and credit unions, identify their inherent cybersecurity risk and assess their cybersecurity preparedness. The release of the tool follows last year's pilot assessment of cybersecurity preparedness at more than 500 financial institutions.

The FFIEC Cybersecurity Assessment Tool (Assessment) is comprised of the following PDF documents:

While the Assessment is not required, it is encouraged to help financial institutions perform a self-evaluation of their inherent cybersecurity risk and maturity. Executive management and board oversight are also a major theme of the tool.

CEO and Board Responsibilities:

Read Full Article

 

By:
Publication: The Nebraska Banker, October 2015

No one really knows where the term APT originated. Advanced Persistent Threats, or APT, can likely be traced back to the United States government, as the term originated about the time our federal government started to acknowledge the infiltration of foreign adversaries into government networks, and when several major U.S. corporations were hit with "low and slow" style attacks. The break-in at RSA in 2011 was one of the first highly publicized hacks that referred to APT as the means. Once out of the bag, security product vendors picked up on the term APT to coax customers into reactionary purchases to help defend against the new threat.

Read Full Article

 

By:
Publication: The Kansas Banker, September 2015

Everyone can relate to being on a long road trip and wondering, "Are we there yet?" In fact, I am quite sure that many of us feel this way about the journey towards a strong cybersecurity program. The FFIEC has stressed, and continues to stress, the importance of a top-down approach to cybersecurity risk management, meaning executives and board members are not only involved in the cybersecurity program, they are responsible for it. Below are four questions that board members and executives should consider.

What cybersecurity-related information is making it to the top?

Read Full Article

 

By:
Publication: The Kansas Banker, July 2015

"I don't want to work on this. I think it is a waste of time." These were the opening lines from a department manager as we met to work on details of the Business Impact Analysis (BIA) I was helping to develop for a Business Continuity Plan (BCP). Next came, "If something bad happens you have to be smart and figure out how to fix it rather than try to look it up in some big book." I was surprised. This "negative brick wall" was coming from a top employee—good attitude, highly competent, and an excellent work ethic.

What would you do or say? Keep on reading and I will tell you what I have learned.

Read Full Article

 

By:
Publication: The Colorado Banker, July/August 2015

When was the last time your kitchen was filled with smoke? Burned toast? Food spills burned in the oven? Sauté resulted in a burnt offering? Whenever it was, after any fire danger was over, you probably started opening windows and doors to clear the smoke.

Are you also ready to clear "cyber smoke?" Often Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks create smokescreens as distractions to conceal the real exploits of malware insertion, unauthorized data access, or fraud. If successful, both attacks create the same problem, a disruption of service. DDoS is more powerful and is harder to control as it enlists hundreds or thousands of captured computers in its attacking army.

Read Full Article

 

By:
Publication: The Community Banker, Summer 2015

With the FFIEC's addition of Appendix J to its Business Continuity Planning (BCP) Handbook, many of us were left wondering if they actually meant to put the appendix in one of the handbooks related to vendor management. The four major sections of Appendix J are even titled Third-Party Management, Third-Party Capacity, Testing with Third-Party TSPs (Technology Service Providers), and Cyber Resilience. With the exception of Cyber Resilience, they all sound like they belong in your vendor manager's lap, and the idea that something belongs in one person's lap may be part of the problem.

Read Full Article

 

By:
Publication: The Nebraska Banker, May/June 2015

February saw a new appendix added to the FFIEC's Business Continuity Planning (BCP) Handbook. Appendix J: Strengthening the Resilience of Outsourced Technology Services marries two areas of information security that banks have been working on for years – vendor management and business continuity. As cloud computing and the outsourcing of technology services become more and more common, banks are depending on vendors for extremely critical aspects of business. Creating a BCP with recovery expectations without considering a vendor's (or multiple vendors') restoration abilities would be bad planning on the bank's part and could result in unhappy surprises should a disaster or business interruption occur.

The new appendix consists of four areas regarding outsourced technology services and business continuity:

Read Full Article

 

By: (Security+)
Publication: The Community Banker, Spring 2015

Do you know who governs the Internet? Someone has to do it. Thanks to ICANN, the Internet maintains an appropriate level of organization and structure, while still being a place of intellectual freedom. ICANN is the Internet Corporation for Assigned Names and Numbers. ICANN is an oversight body that ensures unification of the Internet in many ways, namely, policy development for existing and new generic top-level domains (gTLDs).

In 2008, ICANN approved a program to open the Internet to thousands of new gTLDs (that's your .com, .org, .edu, and the like). Then in 2011 ICANN launched the New gTLD Program. The program's goals include enhancing competition, consumer choice, and innovation through the introduction of new gTLDs.

Read Full Article

 

By:
Publication: The Kansas Banker, April 2015

The news over the last several years has been filled with data compromises at a number of high-profile American companies, including a few banks. A number of these compromises were due to cyber attackers using malware to gain a foothold on a machine on the internal network, then using that machine as an observation point to further learn about and exploit the systems housing sensitive data. And, as we've learned, the malware we don't know about is the most dangerous kind. This trend puts signature-based antivirus products at a disadvantage, since they are primarily designed to detect known malware.

Read Full Article